Chapter 5      Configuring SGACL Policies
Manually Configuring SGACL Policies

Step 5
  Command:
    [no] cts role-based permissions {default | [from {sgt_num | unknown} to {dgt_num | unknown}]} {rbacls | ipv4 rbacls}
  Example:
    Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff
  Purpose:
    Binds SGTs and DGTs to the RBACL. The configuration is analogous to
    populating the permission matrix configured on the Cisco ISE or the
    Cisco Secure ACS.
    • default—Default permissions list
    • sgt_num—0 to 65,519. Source Group Tag
    • dgt_num—0 to 65,519. Destination Group Tag
    • unknown—SGACL applies to packets where the security group (source or
      destination) cannot be determined.
    • ipv4—Indicates the following RBACL is IPv4.
    • rbacls—Name of RBACLs

Step 6
  Command:
    Switch(config)# end
  Purpose:
    Exits to Privileged EXEC mode.

Step 7
  Command:
    Switch# show cts role-based permissions
  Purpose:
    Displays the SGT/DGT-to-RBACL permission bindings.

Step 8
  Command:
    Switch# show ip access-lists allow_webtraff
  Purpose:
    Displays the ACEs of all RBACLs or of a specified RBACL.

Configuration Examples for Manually Configuring SGACL Policies

Catalyst 3850 IPv4 Manual SGACL policy:

Switch(config)# ip access role allow_webtraff
Switch(config-rb-acl)# 10 permit tcp dst eq 80
Switch(config-rb-acl)# 20 permit tcp dst eq 443
Switch(config-rb-acl)# 30 permit icmp
Switch(config-rb-acl)# 40 deny ip
Switch(config-rb-acl)# exit
Switch(config)# cts role-based permissions from 55 to 66 allow_webtraff

Switch# show ip access allow_webtraff
Role-based IP access list allow_webtraff
    10 permit tcp dst eq www
    20 permit tcp dst eq 443
    30 permit icmp
    40 deny ip

Switch# show cts role-based permissions from 50 to 70
XXX need output XX

Cisco TrustSec Switch Configuration Guide    OL-22192-02    5-5
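The following is an added example, not code from the Cisco TrustSec guide: a small offline model of the SGACL permission matrix and RBACL evaluation that the steps on this page configure, so the effect of binding allow_webtraff from SGT 55 to DGT 66 can be checked before it is pushed to a switch. The class and function names, the packet dictionary format, the treatment of "unknown" as a literal tag value, fallback to the default permissions list when no (sgt, dgt) cell exists, the implicit deny at the end of an RBACL, permitting when no SGACL is bound at all, and the deny_all default list are all assumptions made for illustration.

```python
"""Added example (not from the Cisco TrustSec guide): an offline model of an
SGACL permission matrix and of RBACL evaluation.  Names, packet format,
fallback order and the 'no SGACL bound -> permit' rule are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

UNKNOWN = "unknown"   # SGT/DGT the switch could not determine (assumed literal key)
DEFAULT = "default"   # key for the default permissions list

# IOS echoes some well-known ports by name in 'show ip access-lists'
# (the guide's 'dst eq 80' is shown back as 'dst eq www'); small assumed table.
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    dst_port: int | None = None  # from 'dst eq <port>'; tcp/udp only

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


def parse_rbacl(text: str) -> list[Ace]:
    """Parse ACE lines of the form '<seq> permit|deny <proto> [dst eq <port>]'."""
    aces = []
    for raw in text.strip().splitlines():
        toks = raw.split()
        seq, action, proto = int(toks[0]), toks[1], toks[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACE: {raw!r}")
        dport = None
        if "eq" in toks:
            val = toks[toks.index("eq") + 1]
            dport = PORT_NAMES.get(val) or int(val)
        aces.append(Ace(seq, action, proto, dport))
    return sorted(aces, key=lambda a: a.seq)  # ACEs are evaluated in sequence order


@dataclass
class PermissionMatrix:
    """Models 'cts role-based permissions': (sgt, dgt) -> ordered RBACL names."""
    rbacls: dict[str, list[Ace]] = field(default_factory=dict)
    cells: dict = field(default_factory=dict)

    def add_rbacl(self, name: str, text: str) -> None:
        self.rbacls[name] = parse_rbacl(text)

    def _check(self, names: tuple[str, ...]) -> list[str]:
        for n in names:
            if n not in self.rbacls:
                raise KeyError(f"RBACL {n} is not defined")
        return list(names)

    def bind(self, sgt, dgt, *names: str) -> None:
        """cts role-based permissions from <sgt> to <dgt> <rbacls>"""
        self.cells[(sgt, dgt)] = self._check(names)

    def set_default(self, *names: str) -> None:
        """cts role-based permissions default <rbacls>"""
        self.cells[DEFAULT] = self._check(names)

    def lookup(self, sgt, dgt):
        """Return (cell_key, rbacl_names).  Cells are directional: a binding
        from 55 to 66 says nothing about 66 -> 55, which falls to the default."""
        if (sgt, dgt) in self.cells:
            return (sgt, dgt), self.cells[(sgt, dgt)]
        return DEFAULT, self.cells.get(DEFAULT, [])

    def evaluate(self, sgt, dgt, pkt: dict) -> str:
        _, names = self.lookup(sgt, dgt)
        if not names:
            return "permit"      # nothing bound, so nothing to enforce (assumption)
        for name in names:       # RBACLs in one cell are walked in order
            for ace in self.rbacls[name]:
                if ace.matches(pkt):
                    return ace.action
        return "deny"            # implicit deny when no ACE matches (assumption)


# ACEs exactly as the guide's 'show ip access allow_webtraff' prints them.
ALLOW_WEBTRAFF = """
10 permit tcp dst eq www
20 permit tcp dst eq 443
30 permit icmp
40 deny ip
"""


def build_page_policy() -> PermissionMatrix:
    """The manual policy from the configuration example, plus an assumed
    'deny_all' default list so every other SGT/DGT pair fails closed."""
    m = PermissionMatrix()
    m.add_rbacl("allow_webtraff", ALLOW_WEBTRAFF)
    m.add_rbacl("deny_all", "10 deny ip")
    m.bind(55, 66, "allow_webtraff")
    m.set_default("deny_all")
    return m


if __name__ == "__main__":
    m = build_page_policy()
    for sgt, dgt, pkt in [(55, 66, {"proto": "tcp", "dport": 443}),
                          (55, 66, {"proto": "tcp", "dport": 22}),
                          (66, 55, {"proto": "tcp", "dport": 80}),
                          (55, UNKNOWN, {"proto": "icmp"})]:
        print(f"{sgt!s:>7} -> {dgt!s:<7} {pkt}: {m.evaluate(sgt, dgt, pkt)}")
```

Running it shows the two points most often missed when populating the matrix by hand: the binding is directional (66 to 55 is not covered by the 55 to 66 cell and drops to the default list), and any pair without an explicit cell, including traffic whose tag is unknown, inherits whatever the default list says, so set the default deliberately and confirm the result with show cts role-based permissions rather than assuming it.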